OSV: most viewed

906003 matches found

OSV | added 2024/07/26 7:19 a.m. | 124 views

BIT-GITLAB-2024-7060 Exposure of Sensitive Information to an Unauthorized Actor in GitLab

An information disclosure vulnerability in GitLab CE/EE in project/group exports affecting all versions from 15.4 prior to 17.0.5, 17.1 prior to 17.1.3, and 17.2 prior to 17.2.1 allows unauthorized users to view the resultant export...

CVSS 6.5 | AI score 4.4 | EPSS 0.00302 | Exploits 0 | References 2

OSV | added 2024/07/26 7:18 a.m. | 124 views

BIT-GITLAB-2024-7091 Exposure of Sensitive Information to an Unauthorized Actor in GitLab

An issue was discovered in GitLab CE/EE affecting all versions starting from 15.6 prior to 17.0.5, starting from 17.1 prior to 17.1.3, and starting from 17.2 prior to 17.2.1 where it was possible to disclose limited information of an exported group or project to another user...

CVSS 5 | AI score 4.1 | EPSS 0.00312 | Exploits 0 | References 2

OSV | added 2024/04/03 12:00 p.m. | 124 views

RUSTSEC-2024-0332 Degradation of service in h2 servers with CONTINUATION Flood

An attacker can send a flood of CONTINUATION frames, causing h2 to process them indefinitely. This results in an increase in CPU usage. Tokio task budget helps prevent this from a complete denial-of-service, as the server can still respond to legitimate requests, albeit with increased latency. Mo...

AI score 7 | Exploits 0 | References 3

OSV | added 2022/05/13 1:06 a.m. | 124 views

GHSA-JWVW-V7C5-M82H protobuf susceptible to buffer overflow

protobuf allows remote authenticated attackers to cause a heap-based buffer overflow...

CVSS 8.8 | AI score 8.3 | EPSS 0.05106 | Exploits 0 | References 37

OSV | added 2022/01/01 12:00 a.m. | 124 views

ASB-A-123700107

In checkKeyIntent of AccountManagerService.java, there is a possible permission bypass. This could lead to local information disclosure with User execution privileges needed. User interaction is needed for exploitation...

CVSS 5 | AI score 4.9 | EPSS 0.00156 | Exploits 0 | References 2

OSV | added 2025/07/21 6:24 a.m. | 123 views

MAL-2025-6022 Malicious code in eslint-config-prettier (npm)

This package installs a Windows-based malware file node-gyp.dll via install.js...

AI score 7.1 | Exploits 0 | References 1

OSV | added 2025/04/10 7:10 a.m. | 123 views

BIT-ELASTICSEARCH-2024-52981

An issue was discovered in Elasticsearch, where a large recursion using the Well-Known Text formatted string with nested GeometryCollection objects could cause a stack overflow...

CVSS 7.5 | AI score 5.1 | EPSS 0.00511 | Exploits 0 | References 2

OSV | added 2025/03/29 7:12 a.m. | 123 views

BIT-GITLAB-2024-9773 Improper Neutralization of Special Elements used in a Command ('Command Injection') in GitLab

An issue was discovered in GitLab EE affecting all versions starting from 14.9 before 17.8.6, all versions starting from 17.9 before 17.8.3, all versions starting from 17.10 before 17.10.1. An input validation issue in the Harbor registry integration could have allowed a maintainer to add malicio...

CVSS 8 | AI score 4.2 | EPSS 0.00238 | Exploits 1 | References 3

OSV | added 2024/11/03 4:58 p.m. | 123 views

MAL-2024-10319 Malicious code in appdynamics-libagent-napi (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware b3ccb8490c24108245e9e5e4893518e881e48f0dafa4b0ad152ab458de4e7b1b Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 7 | Exploits 0 | References 1

OSV | added 2023/02/27 7:15 p.m. | 123 views

CVE-2023-24249

An arbitrary file upload vulnerability in laravel-admin v1.8.19 allows attackers to execute arbitrary code via a crafted PHP file...

CVSS 7.2 | AI score 7.5 | EPSS 0.02382 | Exploits 3 | References 3

OSV | added 2025/04/07 2:37 p.m. | 122 views

CVE-2025-30373 Graylog Authenticated HTTP inputs do ingest message even if Authorization header is missing or has wrong value

Graylog is a free and open log management platform. Starting with 6.1, HTTP Inputs can be configured to check if a specified header is present and has a specified value to authenticate HTTP-based ingestion. Unfortunately, even though in cases of a missing header or a wrong value the correct HTTP...

CVSS 6.5 | AI score 6.4 | EPSS 0.00289 | Exploits 0 | References 4

OSV | added 2024/03/06 10:59 a.m. | 122 views

BIT-GITLAB-2023-4379 Incorrect Authorization in GitLab

An issue has been discovered in GitLab EE affecting all versions starting from 15.3 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1. Code owner approval was not removed from merge requests when the target branch was updated...

CVSS 8.1 | AI score 7.5 | EPSS 0.00502 | Exploits 0 | References 2

OSV | added 2021/04/30 5:35 p.m. | 122 views

GHSA-XRX6-FMXQ-RJJ2 Timing attacks in python-rsa

It was found that python-rsa is vulnerable to Bleichenbacher timing attacks. An attacker can use this flaw via the RSA decryption API to decrypt parts of the cipher text encrypted with RSA...

CVSS 8.2 | AI score 6.3 | EPSS 0.01631 | Exploits 1 | References 18

OSV | added 2024/11/28 7:11 p.m. | 121 views

BIT-GITLAB-2024-8177 Inefficient Algorithmic Complexity in GitLab

An issue was discovered in GitLab CE/EE affecting all versions starting from 15.6 prior to 17.4.5, starting from 17.5 prior to 17.5.3, starting from 17.6 prior to 17.6.1 which could cause Denial of Service via integrating a malicious harbor registry...

CVSS 7.5 | AI score 5.7 | EPSS 0.00571 | Exploits 0 | References 3

OSV | added 2024/03/06 10:53 a.m. | 121 views

BIT-APACHE-2022-22721 core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody

If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems, an integer overflow happens which later causes out of bounds writes. This issue affects Apache HTTP Server 2.4.52 and earlier...

CVSS 9.1 | AI score 9.3 | EPSS 0.41861 | Exploits 0 | References 17

OSV | added 2022/08/21 12:00 a.m. | 121 views

OSV-2022-763 Heap-buffer-overflow in sqlite3VdbeExec

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50466 Crash type: Heap-buffer-overflow READ Crash state: sqlite3VdbeExec sqlite3_step osquery::readRows...

AI score 7.2 | Exploits 0 | References 1

OSV | added 2021/02/01 12:00 a.m. | 121 views

ASB-A-134155286

In parseNextBox of IsoInterface.java, there is a possible leak of unredacted location information due to improper input validation. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation...

CVSS 9.3 | AI score 8 | EPSS 0.02063 | Exploits 0 | References 2

OSV | added 2019/01/04 5:45 p.m. | 121 views

GHSA-RPRW-H62V-C2W7 PyYAML insecurely deserializes YAML strings leading to arbitrary code execution

In PyYAML before 5.1, the yaml.load API could execute arbitrary code. In other words, yaml.safe_load is not used. This was intended to be fixed in 4.1, but due to breaking changes, 4.1 was yanked and 5.1 contains the patch for CVE-2017-18342...

CVSS 9.8 | AI score 7.1 | EPSS 0.06031 | Exploits 1 | References 14

OSV | added 2025/03/13 7:14 a.m. | 120 views

BIT-MARIADB-2023-52970

MariaDB Server 10.4 through 10.5., 10.6 through 10.6., 10.7 through 10.11., 11.0 through 11.0., and 11.1 through 11.4. crashes in Item_direct_view_ref::derived_field_transformer_for_where...

CVSS 4.9 | AI score 5.1 | EPSS 0.00423 | Exploits 0 | References 3

OSV | added 2025/01/30 7:13 p.m. | 120 views

BIT-GITLAB-2025-0290 Loop with Unreachable Exit Condition ('Infinite Loop') in GitLab

An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.0 prior to 17.5.5, from 17.6 prior to 17.6.3, and from 17.7 prior to 17.7.1. Under certain conditions, processing of CI artifacts metadata could cause background jobs to become unresponsive...

CVSS 4.3 | AI score 4.1 | EPSS 0.00358 | Exploits 0 | References 2

OSV | added 2024/05/31 6:30 a.m. | 120 views

GHSA-8HQG-WHRW-PV92 Ollama does not validate the format of the digest (sha256 with 64 hex digits)

Ollama before 0.1.34 does not validate the format of the digest (sha256 with 64 hex digits) when getting the model path, and thus mishandles the TestGetBlobsPath test cases such as fewer than 64 hex digits, more than 64 hex digits, or an initial ../ substring...

CVSS 8.8 | AI score 7.6 | EPSS 0.89633 | Exploits 4 | References 9

OSV | added 2024/03/06 11:06 a.m. | 120 views

BIT-PYTHON-2021-3737

A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. The highest threat from this vulnerability is to system availability...

CVSS 7.5 | AI score 7.7 | EPSS 0.11586 | Exploits 1 | References 13

OSV | added 2023/01/17 8:15 p.m. | 120 views

CVE-2022-36760

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server 2.4 version 2.4.54 and prior versions...

CVSS 9 | AI score 8.9 | Exploits 0 | References 2

OSV | added 2022/06/20 8:16 p.m. | 120 views

MAL-2022-2945 Malicious code in extraneous-dev-dep (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware e08815dacf458e78940833dd89e08a808779aabda6f12833e3ca42e28a3d0cdf Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 7 | Exploits 0 | References 1

OSV | added 2021/11/23 5:53 p.m. | 120 views

GHSA-GX3F-HQ7P-8FXV Code injection in spring-cloud-netflix-hystrix-dashboard

Applications using the spring-cloud-netflix-hystrix-dashboard expose a way to execute code submitted within the request URI path during the resolution of view templates. When a request is made at /hystrix/monitor;[user-provided data], the path elements following hystrix/monitor are being evaluated ...

CVSS 7.6 | AI score 8.8 | EPSS 0.12694 | Exploits 0 | References 2

OSV | added 2025/03/15 7:19 a.m. | 119 views

BIT-GITLAB-2024-7296 Incorrect Authorization in GitLab

An issue was discovered in GitLab EE affecting all versions from 16.5 prior to 17.7.7, 17.8 prior to 17.8.5, and 17.9 prior to 17.9.2 which allowed a user with a custom permission to approve pending membership requests beyond the maximum number of allowed users...

CVSS 2.7 | AI score 3.4 | EPSS 0.00339 | Exploits 1 | References 3

OSV | added 2024/07/15 12:00 a.m. | 119 views

DSA-5730-1 linux - security update

Bulletin has no description...

CVSS 9.8 | AI score 7.9 | EPSS 0.21314 | Exploits 4

OSV | added 2022/06/20 6:20 p.m. | 119 views

MAL-2022-276 Malicious code in @flameshot-org/fetlife-assets (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware dfc208be31b8f932d6175ac98e7ddc5249c25d6e735a9af5a2c8266770cb9a45 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 7 | Exploits 0 | References 1

OSV | added 2016/12/24 12:00 a.m. | 119 views

DSA-3746-1 graphicsmagick - security update

Bulletin has no description...

CVSS 10 | AI score 7.3 | EPSS 0.97485 | Exploits 13

OSV | added 2025/03/15 7:16 a.m. | 118 views

BIT-GITLAB-2024-8402 Improper Neutralization of Special Elements used in a Command ('Command Injection') in GitLab

An issue was discovered in GitLab EE affecting all versions starting from 17.2 before 17.7.7, all versions starting from 17.8 before 17.8.5, all versions starting from 17.9 before 17.9.2. An input validation issue in the Google Cloud IAM integration feature could have enabled a Maintainer to...

CVSS 7.4 | AI score 3.9 | EPSS 0.00228 | Exploits 1 | References 3

OSV | added 2024/08/21 3:29 p.m. | 118 views

GO-2022-0846 Gitea Remote Code Execution in github.com/go-gitea/gitea

Gitea Remote Code Execution in github.com/go-gitea/gitea...

CVSS 8.8 | AI score 8.9 | EPSS 0.55578 | Exploits 3 | References 8

OSV | added 2024/03/06 11:10 a.m. | 118 views

BIT-WORDPRESS-MULTISITE-2021-29447 WordPress Authenticated XXE attack when installation is running PHP 8

WordPress is an open source CMS. A user with the ability to upload files like an Author can exploit an XML parsing issue in the Media Library leading to XXE attacks. This requires WordPress installation to be using PHP 8. Access to internal files is possible in a successful XXE attack. This has...

CVSS 7.1 | AI score 6.4 | EPSS 0.85719 | Exploits 20 | References 8

OSV | added 2024/01/30 7:36 p.m. | 118 views

CVE-2024-24558 react-query-streamed-hydration xss

TanStack Query supplies asynchronous state management, server-state utilities and data fetching for the web. The @tanstack/react-query-next-experimental NPM package is vulnerable to a cross-site scripting vulnerability. To exploit this, an attacker would need to either inject malicious input or...

CVSS 8.2 | AI score 6.6 | EPSS 0.00385 | Exploits 0 | References 4

OSV | added 2023/12/15 11:43 p.m. | 118 views

GHSA-QQHQ-8R2C-C3F5 nvdApiKey is logged in debug mode

Summary: The value of the nvdApiKey configuration parameter is logged in clear text in debug mode. Details: The NVD API key is a kind of secret and should be treated like other secrets when logging in debug mode. Expecting the same behavior as for several password configurations: just print Note that...

CVSS 3.3 | AI score 5.1 | EPSS 0.00598 | Exploits 0 | References 2

OSV | added 2023/11/01 12:00 a.m. | 118 views

ASB-A-291299076

In createFromParcel of UsbConfiguration.java, there is a possible background activity launch (BAL) due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation...

CVSS 7.8 | AI score 7.8 | EPSS 0.00186 | Exploits 0 | References 2

OSV | added 2023/05/02 9:31 p.m. | 118 views

GHSA-7MMC-22G7-3XQ2 Moodle SQL Injection vulnerability

The vulnerability was found in Moodle and exists due to insufficient sanitization of user-supplied data in the external Wiki method for listing pages. A remote attacker can send a specially crafted request to the affected application and execute limited SQL commands within the application database...

CVSS 7.3 | AI score 6.5 | EPSS 0.01142 | Exploits 0 | References 12

OSV | added 2022/08/05 7:15 a.m. | 118 views

CVE-2022-37434

zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call...

CVSS 9.8 | AI score 3.5 | Exploits 0 | References 27

OSV | added 2022/02/16 10:30 p.m. | 118 views

GHSA-HRHX-6H34-J5HC Skip the router TLS configuration when the host header is an FQDN

Impact: People that configure mTLS between Traefik and clients. For a request, the TLS configuration choice can be different than the router choice, which implies the use of a wrong TLS configuration. - When sending a request using FQDN handled by a router configured with a dedicated TLS...

CVSS 7.4 | AI score 7.4 | EPSS 0.01688 | Exploits 0 | References 6

OSV | added 2024/12/20 12:08 p.m. | 117 views

CGA-3P7C-2H7X-XXJX

Bulletin has no description...

CVSS 5.3 | AI score 6.2 | EPSS 0.00856 | Exploits 0

OSV | added 2024/12/07 5:57 a.m. | 117 views

BELL-CVE-2024-12254

Bulletin has no description...

CVSS 7.5 | AI score 7.6 | EPSS 0.0188 | Exploits 0 | References 2

OSV | added 2024/09/30 8:53 a.m. | 117 views

BIT-GITLAB-2024-8974 Incorrect Provision of Specified Functionality in GitLab

Information disclosure in GitLab EE/CE affecting all versions from 15.6 prior to 17.2.8, 17.3 prior to 17.3.4, and 17.4 prior to 17.4.1: in specific conditions it was possible to disclose to an unauthorised user the path of a private project...

CVSS 4.3 | AI score 4 | EPSS 0.00268 | Exploits 0 | References 2

OSV | added 2024/09/07 4:15 p.m. | 117 views

CVE-2023-46809

Node.js versions which bundle an unpatched version of OpenSSL or run against a dynamically linked version of OpenSSL which are unpatched are vulnerable to the Marvin Attack - https://people.redhat.com/hkario/marvin/, if PKCS#1 v1.5 padding is allowed when performing RSA decryption using a privat...

AI score 6.6 | Exploits 0 | References 1

OSV | added 2023/06/26 9:30 p.m. | 117 views

GHSA-257Q-PV89-V3XV Duplicate Advisory: jQuery Cross Site Scripting vulnerability

Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-jpcq-cgw6-v4j6. This link is maintained to preserve external references. Original Description: Cross Site Scripting vulnerability in jQuery v.2.2.0 until v.3.5.0 allows a remote attacker to execute arbitrary code...

CVSS 6.1 | AI score 6.6 | Exploits 5 | References 12

OSV | added 2025/07/16 8:19 a.m. | 116 views

BIT-MYSQL-CLIENT-2025-30722

Vulnerability in the MySQL Client product of Oracle MySQL (component: Client: mysqldump). Supported versions that are affected are 8.0.0-8.0.41, 8.4.0-8.4.4 and 9.0.0-9.2.0. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise...

CVSS 6.8 | AI score 5.1 | EPSS 0.00406 | Exploits 0 | References 4

OSV | added 2022/07/15 11:30 p.m. | 116 views

GO-2022-0493 Incorrect privilege reporting in syscall and golang.org/x/sys/unix

When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible...

CVSS 5.3 | AI score 8.6 | EPSS 0.02593 | Exploits 1 | References 4

OSV | added 2022/05/14 3:48 a.m. | 116 views

GHSA-WR5J-Q359-6VR2 backup-agoddard and backup_checksum have Information Exposure vulnerability

(1) lib/backup/cli/utility.rb in the backup-agoddard gem 3.0.28 and (2) lib/backup/cli/utility.rb in the backup_checksum gem 3.0.23 for Ruby place credentials on the openssl command line, which allows local users to obtain sensitive information by listing the process...

CVSS 7.8 | AI score 7.4 | EPSS 0.00512 | Exploits 1 | References 7

OSV | added 2022/04/11 9:30 p.m. | 116 views

GHSA-XXX9-3XCR-GJJ3 XML Injection in Xerces Java affects Nokogiri

Summary: Nokogiri v1.13.4 updates the vendored xerces:xercesImpl from 2.12.0 to 2.12.2, which addresses CVE-2022-23437. That CVE is scored as CVSS 6.5 "Medium" on the NVD record. Please note that this advisory only applies to the JRuby implementation of Nokogiri < v1.13.4. Impact: CVE-2022-23437 in...

CVSS 6.5 | AI score 7.2 | EPSS 0.0444 | Exploits 0 | References 6

OSV | added 2021/06/21 8:15 p.m. | 116 views

CVE-2020-27511

An issue was discovered in the stripTags and unescapeHTML components in Prototype 1.7.3 where an attacker can cause a Regular Expression Denial of Service (ReDoS) through stripping crafted HTML tags...

CVSS 7.5 | AI score 6.6 | EPSS 0.02455 | Exploits 1 | References 3

OSV | added 2018/10/17 6:28 p.m. | 116 views

GHSA-6FVX-R7HX-3VH6 JavaMelody has XXE via parseSoapMethodName in bull/javamelody/PayloadNameRequestWrapper.java.

JavaMelody before 1.74.0 has XXE via parseSoapMethodName in bull/javamelody/PayloadNameRequestWrapper.java...

CVSS 9.8 | AI score 9.5 | EPSS 0.27873 | Exploits 0 | References 7

OSV | added 2025/10/09 6:05 a.m. | 115 views

BELL-CVE-2025-61984

Bulletin has no description...

CVSS 3.6 | AI score 7 | EPSS 0.00218 | Exploits 2 | References 1

Total number of security vulnerabilities: 5000